Firefox 55.0: find out what is new

Mozilla Firefox 55.0 has been released by Mozilla. The official release date of Firefox 55.0 is August 8, 2017. The new version of the web browser is already available, and will be offered on August 8 to existing users of the web browser provided that they have turned updates on.

Firefox 55.0 breaks compatibility with older versions of the browser and Firefox ESR. Users who want to downgrade are advised to back up their profiles prior to installing the update.

Firefox Beta, Nightly and ESR versions are also updated on the day. Firefox Beta is moved to Firefox 56.0, Firefox Nightly to Firefox 57.0, and Firefox ESR to 52.3.

Executive Summary

• You cannot restore an older version / migrate to Firefox ESR after the upgrade to Firefox 55.
• Firefox 55.0 is the first version of Firefox that moves directly from Nightly to Beta.
• The new WebExtensions permissions systems is enabled.
• Firefox startup session restore time has improved significantly.

Firefox 55.0 download and update

Direct download links for Firefox installation files:

• Firefox Stable download
• Firefox Beta download
• Nightly download
• Firefox ESR download
• Firefox unbranded builds information

Firefox 55.0 Changes

WebExtensions Permissions system is live

Firefox 55 ships with a permissions system for WebExtensions. These are displayed to the user during installation of a WebExtension in the web browser, and during updates if new permissions are requested.

A dialog is displayed to the user whenever a WebExtension is installed that requires permissions, and when a WebExtension is updated that requires new permissions.

Firefox lists the requested permissions, e.g. access browser tabs, and users may continue with the installation or update by selecting "add" or "update", or cancel the process.

Adobe Flash plugin restrictions

Mozilla set the Adobe Flash plugin to click-to-play by default, and decided to restrict Flash to http and https pages.

Mozilla notes that the change is rolled out gradually, and may not be visible immediately to all users.

• 5% of users two weeks after release.
• 25% of users a month after release.
• 100% of users six weeks after release.

Search suggestions enabled by default

Search suggestions, those displayed in the Firefox address bar when a user starts to type, are now enabled for all users except those who have opted out.

Firefox users can manage search engines and suggestions by loading about:preferences#search in the browser's address bar.

Users who don't want or require search suggestions can turn them off by removing the checkmark from "provide search suggestions" and "show search suggestions in location bar results".

New "Performance" section in Settings

Firefox 55 ships with a new performance section in Settings. Firefox users may select to run the browser with the recommended performance settings, or customize the following performance-related options:

• Toggle hardware acceleration.
• Set a content process limits for multi-process functionality.

Page Shot screenshot functionality

Firefox 55 users may notice a new screenshots icon in the Firefox main toolbar. This icon is not visible to all users at release, as Mozilla wants to run an A/B test first.

Those Firefox users who have it in their browser already may use it to capture a region of the web browser, or a page, and save it locally or online on https://screenshots.firefox.com/.

Other Firefox 55.0 changes

• Firefox session restore startup time improved a lot.
• Added Belorussian locale.
• Assign custom shortcuts to Firefox on Mac OS X via System Preferences > Keyboard > Shortcuts.
• Firefox 55 marks the beginning of theme support. The browser.theme.update API is available which features similar capabilities as Firefox lightweight themes.
• Geolocation API requires secure origin. Same is true for Storage API.
• Loading of mixed content allowed on localhost.
• Print preview feature to simplify print jobs.
• Remote jar files are not loaded by default anymore. Mozilla disabled support for the jar: protocol back in Firefox 45, but had to re-enable it because it broke IBM iNotes functionality. Firefox 55 disables jar: again as IBM updated iNotes so that it no longer requires remote jars. Firefox users who require the functionality may switch network.jar.block-remote-files to false to restore it. (Bug 1329336)
• Sidebar can be moved to the right.
• Support for WebVR.
• WebExtensions performance improvements, e.g. host matching, lazy loading APIs and more.
• Windows Stub installer simplified, option to select installation directory or program shortcuts removed. Firefox users need to use the full installer for these options.

Developer Changes

• about:debugging page changes. Temporary add-ons are listed at the top, a remove button is now available, and help is shown if an extension has a temporary ID.
• Extensions may disable WebRTC.
• Network Monitor: show hide columns, remote IP, protocol, scheme, cookies and set cookies columns, filtering of network requests by column values and other properties, and regular expressions.
• New APIs: Collaborative Scheduling of Background Tasks API, WebVR 1.1 API, Intersection Observer API.
• Proxy API to insert proxy configuration files into Firefox.
• runtime.onMessageExternal API implemented to allow communication between WebExtensions add-ons.
• Support for EME on insecure contexts deprecated.
• webRequest API improvements, e.g. declining requests before cookies are processed.

Firefox 55.0 for Android

The following features are new or changed on Android (apart from those that were mentioned already for Firefox for the desktop):

• Option to zoom with one hand using double tap and drag gestures.
• Greek and Lao locales added.
• Accessibility settings have an option to respect the system's font size when displaying web pages.

Firefox 55.0.1

Firefox 55.0.1 was released on August 10, 2017.  It is a bug fix release that fixes the following issues in Firefox 55:

• A rendering issue with "some" PKCS#11 libraries.
• What's new page not displayed under some conditions.
• Tab restoration process regression.
• Disabled the predictor prefetch.

Security updates / fixes

Security changes are announced after the official release. We will update the review when Mozilla publishes them.

• CVE-2017-7798: XUL injection in the style editor in devtools
• CVE-2017-7800: Use-after-free in WebSockets during disconnection
• CVE-2017-7801: Use-after-free with marquee during window resizing
• CVE-2017-7809: Use-after-free while deleting attached editor DOM node
• CVE-2017-7784: Use-after-free with image observers
• CVE-2017-7802: Use-after-free resizing image elements
• CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM
• CVE-2017-7786: Buffer overflow while painting non-displayable SVG
• CVE-2017-7806: Use-after-free in layer manager with SVG
• CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements
• CVE-2017-7787: Same-origin policy bypass with iframes through page reloads
• CVE-2017-7807: Domain hijacking through AppCache fallback
• CVE-2017-7792: Buffer overflow viewing certificates with an extremely long OID
• CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher
• CVE-2017-7791: Spoofing following page navigation with data: protocol and modal alerts
• CVE-2017-7808: CSP information leak with frame-ancestors containing paths
• CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP protections
• CVE-2017-7781: Elliptic curve point addition error when using mixed Jacobian-affine coordinates
• CVE-2017-7794: Linux file truncation via sandbox broker
• CVE-2017-7803: CSP containing 'sandbox' improperly applied
• CVE-2017-7799: Self-XSS XUL injection in about:webrtc
• CVE-2017-7783: DOS attack through long username in URL
• CVE-2017-7788: Sandboxed about:srcdoc iframes do not inherit CSP directives
• CVE-2017-7789: Failure to enable HSTS when two STS headers are sent for a connection
• CVE-2017-7790: Windows crash reporter reads extra memory for some non-null-terminated registry values
• CVE-2017-7796: Windows updater can delete any file named update.log
• CVE-2017-7797: Response header name interning leaks across origins
• CVE-2017-7780: Memory safety bugs fixed in Firefox 55
• CVE-2017-7779: Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3

Firefox ESR security fixes are listed here.

Additional information / sources

• Firefox 55 release notes
• Firefox 55.0.1 release notes
• Firefox 55 Android release notes
• Add-on compatibility for Firefox 55
• Firefox 55 for Developers
• Site compatibility for Firefox 55
• Firefox Security Advisories